terraform-ansible

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit plaintext secret examples (e.g., sk-..., AKIA..., supersecret123, my-vault-password) and instructs writing/encrypting them into files and passing vault_password parameters, which would require the agent to include secret values verbatim in commands or tool calls.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's playbooks and scripts explicitly clone and execute external, user-generated content (e.g., "git: repo: https://github.com/org/app.git" in playbook.yml and ansible-galaxy installs like geerlingguy.nginx), which the agent is expected to fetch and run as part of its workflow, allowing third-party instructions to affect actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Ansible playbooks clone and install from the remote repository https://github.com/org/app.git at runtime (git tasks and pip install from the repo), which fetches and causes execution of external code the workflow depends on.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit privileged actions—Ansible tasks that create users and write systemd and /etc files, use --become, local-exec provisioners that read/write local sensitive files (e.g. ~/.ssh/id_rsa, /etc/hosts), and scripts that create vault/password files—so it directs the agent to modify system state and perform privileged operations that can compromise the host.